==================================================================
BUG: KASAN: use-after-free in debug_spin_lock_before kernel/locking/spinlock_debug.c:85 [inline]
BUG: KASAN: use-after-free in do_raw_spin_lock+0x265/0x2b0 kernel/locking/spinlock_debug.c:114
Read of size 4 at addr ffff888044a74c04 by task syz-executor.2/13455

CPU: 1 PID: 13455 Comm: syz-executor.2 Not tainted 6.1.0-syzkaller-14446-g8395ae05cb5a #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xd1/0x138 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:306 [inline]
 print_report+0x15e/0x45d mm/kasan/report.c:417
 kasan_report+0xbf/0x1f0 mm/kasan/report.c:517
 debug_spin_lock_before kernel/locking/spinlock_debug.c:85 [inline]
 do_raw_spin_lock+0x265/0x2b0 kernel/locking/spinlock_debug.c:114
 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:111 [inline]
 _raw_spin_lock_irqsave+0x45/0x60 kernel/locking/spinlock.c:162
 p9_tag_remove net/9p/client.c:385 [inline]
 p9_req_put net/9p/client.c:393 [inline]
 p9_req_put+0xca/0x250 net/9p/client.c:390
 req_done+0x1e2/0x2e0 net/9p/trans_virtio.c:148
 vring_interrupt drivers/virtio/virtio_ring.c:2470 [inline]
 vring_interrupt+0x2a1/0x3d0 drivers/virtio/virtio_ring.c:2445
 __handle_irq_event_percpu+0x264/0x970 kernel/irq/handle.c:158
 handle_irq_event_percpu kernel/irq/handle.c:193 [inline]
 handle_irq_event+0xab/0x1e0 kernel/irq/handle.c:210
 handle_edge_irq+0x263/0xd00 kernel/irq/chip.c:819
 generic_handle_irq_desc include/linux/irqdesc.h:158 [inline]
 handle_irq arch/x86/kernel/irq.c:231 [inline]
 __common_interrupt+0xa1/0x210 arch/x86/kernel/irq.c:250
 common_interrupt+0xa8/0xd0 arch/x86/kernel/irq.c:240
 asm_common_interrupt+0x26/0x40 arch/x86/include/asm/idtentry.h:640
RIP: 0010:check_preemption_disabled+0x35/0x170 lib/smp_processor_id.c:55
Code: 89 fd 53 0f 1f 44 00 00 65 44 8b 25 41 b7 fd 75 65 8b 1d 36 b7 fd 75 81 e3 ff ff ff 7f 31 ff 89 de 0f 1f 44 00 00 85 db 74 11 <0f> 1f 44 00 00 44 89 e0 5b 5d 41 5c 41 5d 41 5e c3 0f 1f 44 00 00
RSP: 0018:ffffc900212bf8c8 EFLAGS: 00000202
RAX: 0000000000000001 RBX: 0000000000000002 RCX: ffffffff8163f840
RDX: dffffc0000000000 RSI: 0000000000000002 RDI: 0000000000000000
RBP: ffffffff8aa6ba80 R08: 0000000000000000 R09: ffffffff8e72d6d7
R10: fffffbfff1ce5ada R11: 0000000000000000 R12: 0000000000000001
R13: ffffffff8aa6ba40 R14: ffff88801e69b5d8 R15: 0000000000000000
 rcu_dynticks_curr_cpu_in_eqs include/linux/context_tracking.h:121 [inline]
 rcu_is_watching+0x12/0xb0 kernel/rcu/tree.c:713
 rcu_read_lock_held_common kernel/rcu/update.c:108 [inline]
 rcu_read_lock_sched_held+0x20/0x70 kernel/rcu/update.c:123
 trace_lock_acquire include/trace/events/lock.h:24 [inline]
 lock_acquire+0x500/0x630 kernel/locking/lockdep.c:5639
 __might_fault mm/memory.c:5647 [inline]
 __might_fault+0x10c/0x180 mm/memory.c:5640
 _copy_from_user+0x29/0x170 lib/usercopy.c:13
 copy_from_user include/linux/uaccess.h:161 [inline]
 get_compat_msghdr+0x87/0x150 net/compat.c:91
 recvmsg_copy_msghdr net/socket.c:2659 [inline]
 ___sys_recvmsg+0x172/0x180 net/socket.c:2733
 do_recvmmsg+0x554/0x6e0 net/socket.c:2823
 __sys_recvmmsg+0x242/0x250 net/socket.c:2910
 __do_compat_sys_recvmmsg_time32 net/compat.c:417 [inline]
 __se_compat_sys_recvmmsg_time32 net/compat.c:413 [inline]
 __ia32_compat_sys_recvmmsg_time32+0xc6/0x160 net/compat.c:413
 do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]
 __do_fast_syscall_32+0x65/0xf0 arch/x86/entry/common.c:178
 do_fast_syscall_32+0x33/0x70 arch/x86/entry/common.c:203
 entry_SYSENTER_compat_after_hwframe+0x70/0x82
RIP: 0023:0xf7f41549
Code: 03 74 c0 01 10 05 03 74 b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00
RSP: 002b:00000000f7f1b5cc EFLAGS: 00000296 ORIG_RAX: 0000000000000151
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00000000200000c0
RDX: 0000000000010106 RSI: 0000000000000002 RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000

Allocated by task 13471:
 kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
 kasan_set_track+0x25/0x30 mm/kasan/common.c:52
 ____kasan_kmalloc mm/kasan/common.c:371 [inline]
 ____kasan_kmalloc mm/kasan/common.c:330 [inline]
 __kasan_kmalloc+0xa5/0xb0 mm/kasan/common.c:380
 kmalloc include/linux/slab.h:580 [inline]
 p9_client_create+0xb3/0x1070 net/9p/client.c:964
 v9fs_session_init+0x1e6/0x18b0 fs/9p/v9fs.c:408
 v9fs_mount+0xbe/0xca0 fs/9p/vfs_super.c:126
 legacy_get_tree+0x109/0x220 fs/fs_context.c:610
 vfs_get_tree+0x8d/0x2f0 fs/super.c:1489
 do_new_mount fs/namespace.c:3145 [inline]
 path_mount+0x132a/0x1e20 fs/namespace.c:3475
 do_mount fs/namespace.c:3488 [inline]
 __do_sys_mount fs/namespace.c:3697 [inline]
 __se_sys_mount fs/namespace.c:3674 [inline]
 __ia32_sys_mount+0x282/0x300 fs/namespace.c:3674
 do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]
 __do_fast_syscall_32+0x65/0xf0 arch/x86/entry/common.c:178
 do_fast_syscall_32+0x33/0x70 arch/x86/entry/common.c:203
 entry_SYSENTER_compat_after_hwframe+0x70/0x82

Freed by task 13471:
 kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
 kasan_set_track+0x25/0x30 mm/kasan/common.c:52
 kasan_save_free_info+0x2e/0x40 mm/kasan/generic.c:518
 ____kasan_slab_free mm/kasan/common.c:236 [inline]
 ____kasan_slab_free+0x160/0x1c0 mm/kasan/common.c:200
 kasan_slab_free include/linux/kasan.h:177 [inline]
 slab_free_hook mm/slub.c:1781 [inline]
 slab_free_freelist_hook+0x8b/0x1c0 mm/slub.c:1807
 slab_free mm/slub.c:3787 [inline]
 __kmem_cache_free+0xaf/0x3b0 mm/slub.c:3800
 p9_client_create+0x7aa/0x1070 net/9p/client.c:1035
 v9fs_session_init+0x1e6/0x18b0 fs/9p/v9fs.c:408
 v9fs_mount+0xbe/0xca0 fs/9p/vfs_super.c:126
 legacy_get_tree+0x109/0x220 fs/fs_context.c:610
 vfs_get_tree+0x8d/0x2f0 fs/super.c:1489
 do_new_mount fs/namespace.c:3145 [inline]
 path_mount+0x132a/0x1e20 fs/namespace.c:3475
 do_mount fs/namespace.c:3488 [inline]
 __do_sys_mount fs/namespace.c:3697 [inline]
 __se_sys_mount fs/namespace.c:3674 [inline]
 __ia32_sys_mount+0x282/0x300 fs/namespace.c:3674
 do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]
 __do_fast_syscall_32+0x65/0xf0 arch/x86/entry/common.c:178
 do_fast_syscall_32+0x33/0x70 arch/x86/entry/common.c:203
 entry_SYSENTER_compat_after_hwframe+0x70/0x82

Last potentially related work creation:
 kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
 __kasan_record_aux_stack+0xbc/0xd0 mm/kasan/generic.c:488
 __call_rcu_common.constprop.0+0x99/0x820 kernel/rcu/tree.c:2755
 fib6_info_release include/net/ip6_fib.h:340 [inline]
 nsim_rt6_release drivers/net/netdevsim/fib.c:515 [inline]
 nsim_fib6_event_fini+0x18f/0x240 drivers/net/netdevsim/fib.c:841
 nsim_fib_event drivers/net/netdevsim/fib.c:891 [inline]
 nsim_fib_event_work+0x329/0x24a0 drivers/net/netdevsim/fib.c:1492
 process_one_work+0x9bf/0x1710 kernel/workqueue.c:2289
 process_scheduled_works kernel/workqueue.c:2352 [inline]
 worker_thread+0x858/0x1090 kernel/workqueue.c:2438
 kthread+0x2e8/0x3a0 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308

Second to last potentially related work creation:
 kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
 __kasan_record_aux_stack+0xbc/0xd0 mm/kasan/generic.c:488
 kvfree_call_rcu+0x78/0x8f0 kernel/rcu/tree.c:3376
 drop_sysctl_table+0x3c0/0x4e0 fs/proc/proc_sysctl.c:1709
 unregister_sysctl_table fs/proc/proc_sysctl.c:1747 [inline]
 unregister_sysctl_table+0xc4/0x190 fs/proc/proc_sysctl.c:1722
 neigh_sysctl_unregister+0x5f/0x80 net/core/neighbour.c:3873
 devinet_sysctl_unregister net/ipv4/devinet.c:2639 [inline]
 inetdev_destroy net/ipv4/devinet.c:328 [inline]
 inetdev_event+0x1097/0x16c0 net/ipv4/devinet.c:1603
 notifier_call_chain+0xb5/0x200 kernel/notifier.c:87
 call_netdevice_notifiers_info+0xb5/0x130 net/core/dev.c:1944
 call_netdevice_notifiers_extack net/core/dev.c:1982 [inline]
 call_netdevice_notifiers net/core/dev.c:1996 [inline]
 unregister_netdevice_many_notify+0xa2b/0x19e0 net/core/dev.c:10839
 vti6_exit_batch_net+0x3a4/0x670 net/ipv6/ip6_vti.c:1188
 ops_exit_list+0x125/0x170 net/core/net_namespace.c:174
 cleanup_net+0x4ee/0xb10 net/core/net_namespace.c:606
 process_one_work+0x9bf/0x1710 kernel/workqueue.c:2289
 worker_thread+0x669/0x1090 kernel/workqueue.c:2436
 kthread+0x2e8/0x3a0 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308

The buggy address belongs to the object at ffff888044a74c00
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 4 bytes inside of
 512-byte region [ffff888044a74c00, ffff888044a74e00)

The buggy address belongs to the physical page:
page:ffffea0001129d00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x44a74
head:ffffea0001129d00 order:2 compound_mapcount:0 subpages_mapcount:0 compound_pincount:0
flags: 0x4fff00000010200(slab|head|node=1|zone=1|lastcpupid=0x7ff)
raw: 04fff00000010200 ffff888012442c80 dead000000000100 dead000000000122
raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, tgid 1 (swapper/0), ts 12616960395, free_ts 0
 prep_new_page mm/page_alloc.c:2531 [inline]
 get_page_from_freelist+0x119c/0x2ce0 mm/page_alloc.c:4283
 __alloc_pages+0x1cb/0x5b0 mm/page_alloc.c:5549
 alloc_page_interleave+0x1e/0x200 mm/mempolicy.c:2118
 alloc_pages+0x233/0x270 mm/mempolicy.c:2280
 alloc_slab_page mm/slub.c:1851 [inline]
 allocate_slab+0x25f/0x350 mm/slub.c:1998
 new_slab mm/slub.c:2051 [inline]
 ___slab_alloc+0xa91/0x1400 mm/slub.c:3193
 __slab_alloc.constprop.0+0x56/0xa0 mm/slub.c:3292
 __slab_alloc_node mm/slub.c:3345 [inline]
 slab_alloc_node mm/slub.c:3442 [inline]
 __kmem_cache_alloc_node+0x1a4/0x430 mm/slub.c:3491
 kmalloc_trace+0x26/0x60 mm/slab_common.c:1062
 kmalloc include/linux/slab.h:580 [inline]
 kzalloc include/linux/slab.h:720 [inline]
 wbt_init+0x4f/0x720 block/blk-wbt.c:843
 wbt_enable_default+0x21f/0x290 block/blk-wbt.c:673
 blk_register_queue+0x279/0x550 block/blk-sysfs.c:820
 device_add_disk+0x792/0xfb0 block/genhd.c:485
 add_disk include/linux/blkdev.h:751 [inline]
 nbd_dev_add+0x848/0xc20 drivers/block/nbd.c:1824
 nbd_init+0x29b/0x2ab drivers/block/nbd.c:2527
 do_one_initcall+0x141/0x790 init/main.c:1306
page_owner free stack trace missing

Memory state around the buggy address:
 ffff888044a74b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888044a74b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888044a74c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff888044a74c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888044a74d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
----------------
Code disassembly (best guess):
 0: 89 fd mov %edi,%ebp
 2: 53 push %rbx
 3: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1)
 8: 65 44 8b 25 41 b7 fd mov %gs:0x75fdb741(%rip),%r12d # 0x75fdb751
 f: 75
 10: 65 8b 1d 36 b7 fd 75 mov %gs:0x75fdb736(%rip),%ebx # 0x75fdb74d
 17: 81 e3 ff ff ff 7f and $0x7fffffff,%ebx
 1d: 31 ff xor %edi,%edi
 1f: 89 de mov %ebx,%esi
 21: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1)
 26: 85 db test %ebx,%ebx
 28: 74 11 je 0x3b
* 2a: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1) <-- trapping instruction
 2f: 44 89 e0 mov %r12d,%eax
 32: 5b pop %rbx
 33: 5d pop %rbp
 34: 41 5c pop %r12
 36: 41 5d pop %r13
 38: 41 5e pop %r14
 3a: c3 retq
 3b: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1)